[EMAIL PROTECTED] wrote:
Also, speaking of detection, I made a small script that can protect against people downloading your site's forms, modifying their new local copy (and putting an absolute URL in the form's ACTION attribute), and then posting data using the botched form. If it's bulletproof, then I figured this could help some of you out. If not, I welcome comments (I'm a little bit hesitant of calling things 'bulletproof'). $http_referer (lowercase) is the parse_url() of $_SERVER["HTTP_REFERER"]. Some local mucking up can give you the format you want for it.

    if ((count($_POST) > 0) && (!stristr($_SERVER["HTTP_REFERER"], $http_referer))) {
        unset($_POST);
        $evil = "postedfromoutsidepage";
    }

Then, you can test for $evil when you need to print an error message or decide whether or not the data is proper.
HTTP_REFERER is sent by the client and is not a secure value.
It is easy to write a script in e.g. PHP that will fetch a web page with a completely bogus referrer URL...
Some people argue that checking the referrer URL 'raises the bar' security wise - personally I think this sort of illusory security leads to complacency in data checking.
I think it is better to always remember that data can be posted to your server by many means - treat all data as suspect until proven otherwise.
In addition this method can make code less portable between servers.
--
Sean
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
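The two points above (the Referer header is whatever the client chooses to send, and posted data has to be validated on its own merits) in working code, as an added example that is not part of either message in the thread. It re-implements the posted check as a function, builds the one header line an outside script needs to pass it, and contrasts a per-session token that an outside script cannot obtain. The request arrays, the host name "example.com" and the array standing in for session storage are constructed here so the file runs from the CLI without a web server.

```php
<?php
// Added example, not code from the original thread. It re-implements the
// posted Referer check as a function, shows that a client script can send
// whatever Referer it likes, and contrasts a per-session token check.
// $_SERVER and $_POST are built by hand (constructed sample requests) so
// this runs from the CLI with no web server; the host "example.com" is an
// assumption standing in for "your site".
declare(strict_types=1);

// The check from the thread, as a function over the request arrays.
// $site_host plays the role of the parse_url()'d $http_referer.
function referer_check(array $server, array $post, string $site_host): bool
{
    if (count($post) === 0) {
        return true;                       // nothing was posted; nothing to reject
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    return stristr($referer, $site_host) !== false;   // same test as the original
}

// What an outside script needs in order to pass it: one header line.
// Returns the stream-context options for file_get_contents(); nothing is
// sent from this example, the options are only built.
function forged_request_options(string $referer, array $fields): array
{
    return ['http' => [
        'method'  => 'POST',
        'header'  => "Referer: $referer\r\n"
                   . "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
    ]];
}
// A real run would be:
//   file_get_contents('http://example.com/form.php', false,
//       stream_context_create(forged_request_options('http://example.com/form.php', $fields)));

// Per-session token: the server stores a random secret in the session and
// echoes it into the form; a script that never loaded the page through that
// session cannot know it. (Session storage is a plain array here.)
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];      // goes into <input type="hidden" name="form_token" value="...">
}

function form_token_valid(array $session, array $post): bool
{
    $expected = $session['form_token'] ?? null;
    $given    = $post['form_token'] ?? null;
    return is_string($expected) && is_string($given) && hash_equals($expected, $given);
}

// --- constructed requests -------------------------------------------------
$site    = 'example.com';
$session = [];
$token   = issue_form_token($session);

// 1. A browser submitting the real form: Referer set by the browser, token present.
$browser_server = ['HTTP_REFERER' => 'http://example.com/form.php'];
$browser_post   = ['name' => 'alice', 'form_token' => $token];

// 2. An outside script posting a modified copy of the form: it copies the
//    Referer value verbatim but has no way to obtain the session's token.
$script_opts   = forged_request_options('http://example.com/form.php', ['name' => 'mallory']);
$script_server = ['HTTP_REFERER' => 'http://example.com/form.php'];
parse_str($script_opts['http']['content'], $script_post);

// 3. The substring match also accepts any Referer that merely contains the host name.
$lookalike_server = ['HTTP_REFERER' => 'http://example.com.attacker.test/'];

printf("referer check, browser:   %s\n", referer_check($browser_server, $browser_post, $site) ? 'accepted' : 'rejected');
printf("referer check, script:    %s\n", referer_check($script_server, $script_post, $site) ? 'accepted' : 'rejected');
printf("referer check, lookalike: %s\n", referer_check($lookalike_server, $script_post, $site) ? 'accepted' : 'rejected');
printf("token check, browser:     %s\n", form_token_valid($session, $browser_post) ? 'accepted' : 'rejected');
printf("token check, script:      %s\n", form_token_valid($session, $script_post) ? 'accepted' : 'rejected');

// Either way, the last point above stands: the token only proves the post came
// through a page this session loaded; $post['name'] still has to be validated.
```

Run it with `php referer_demo.php`. The token check does not replace input validation: it answers "did this post come through a form this session was shown?", not "is the data proper?", so every field still gets checked before use.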